Automatic ASIL Decomposition Q3 Concept Presentation 1

Size: px

Start display at page:

Download "Automatic ASIL Decomposition Q3 Concept Presentation 1"

Helena Matthews
5 years ago
Views:

1 Automatic ASIL Decomposition 2011 Q3 Concept Presentation 1

2 Background ISO is the new automotive safety standard It uses ASILs Automotive Safety Integrity Levels to represent required levels of safety in a system ASILs can be decomposed over a system A high ASIL can be met by multiple redundant components working together, each with a lower ASIL Many possible ways to decompose ASILs Hence the importance of automating ASIL decomposition Allows the best strategies to be found more quickly 2011 Q2 Automatic ASIL Decomposition 2

ASILs in ISO 26262 Definition of ASILs Carried out during Risk Assessment Each Hazardous Event is assigned an ASIL (from A-D, or QM) ASIL D is the highest, ASIL A the lowest QM means no special

3 ASILs in ISO Definition of ASILs Carried out during Risk Assessment Each Hazardous Event is assigned an ASIL (from A-D, or QM) ASIL D is the highest, ASIL A the lowest QM means no special safety requirement Choice of ASIL is based on controllability, severity, and exposure time Requires prior hazard analysis of system Corresponding safety goals & safe states should also be defined 2011 Q2 Automatic ASIL Decomposition 3

4 ASILs in ISO FTA is carried out as part of Functional Safety Requirements definition ASILs decomposed and allocated to system functions/components Decomposition is determined by system failure logic (i.e. AND vs OR) The ASIL assigned is determined by an ASIL algebra (e.g. ASIL C = B + A) Can be many possible ASIL assignments This makes it difficult to perform manually 2011 Q2 Automatic ASIL Decomposition 4

ASILs in ISO 26262 Decomposition allows greater granularity of safety requirements Not all parts of the system need to conform

5 ASILs in ISO Decomposition allows greater granularity of safety requirements Not all parts of the system need to conform to the highest levels of safety Allows resources to be focused on the most critical elements 2011 Q2 Automatic ASIL Decomposition 5

6 ASILs in EAST-ADL EAST-ADL provides support for hazard analysis and assignment of ASILs Hazards link to the error model, allowing them to be used in safety analysis Safety requirements are traceable across EAST-ADL layers class Dependability TraceableSpeci fi cati on Hazard Item EAPackageableEl ement + developmentcategory: DevelopmentCategoryKi nd +i tem 1..* +hazard 1..* TraceableSpecifi cati on FeatureFlaw HazardousEvent + cl a si fi cati ona sumptions: String [0..1] + controllabi lity: Controll abili tyclasski nd + exposure: ExposureClassKind + hazardcl a si fi cati on: ASILK ind + severi ty: Severi tyclasski nd Traceabl especification Requirements:: OperationalSituation 1..* +item 1..* +malfuncti on +traffi c * * +envi ronment +nonfulfi ll edrequi rement EA Element SafetyRequirement::SafetyGoal + hazardclassification: ASILKi nd + safestates: String [0..1] +deri vedfrom 1..* TraceableSpecifi cati on 1..* Traceabl especification UseCases::UseCase Feature VehicleFeatureModeling::VehicleFeature +vehi cl efeature + i scustomerv isibl e: Boolean 1..* + i sdesignvari abi li tyrationale: B ool ean + i sremoved: Bool ean * RequirementSpeci fi cati onobject Requirements::Requirement + formali sm: Stri ng [0..1] + url : Stri ng [0..1] +requirement 1..* +operati onal Si tuationusecase +mode * * +safemodes EA Element Behavior::Mode +operati ngmode * + condi ti on: E ADatatypePrototype 2011 Q2 Automatic ASIL Decomposition 6

7 ASILs in EAST-ADL Hazard Analysis performed on vehicle feature level ASILs are assigned to Hazardous Events Initial safety analysis carried out on later levels FTA and/or FMEA can be applied on FAA/FDA models Detailed information about failure modes is unnecessary Propagation logic is what matters ASIL decomposition & allocation can then take place Can also make assumptions about ASILs for SEooC Safety Element out of Context no context in which to perform hazard analysis 2011 Q2 Automatic ASIL Decomposition 7

FTA and ASIL decomposition System failure logic is represented by fault trees Results of fault tree analysis (FTA) are cut sets Cut sets represent

8 FTA and ASIL decomposition System failure logic is represented by fault trees Results of fault tree analysis (FTA) are cut sets Cut sets represent combinations of failures that can cause a hazard ASILs for that hazard can therefore be decomposed to the failures in the cut sets 2011 Q2 Automatic ASIL Decomposition 8

9 ASIL decomposition algorithm ASILs from top level failures are decomposed across the cut sets that cause those failures Multiple failure events in a cut set mean all must occur to cause the system failure Decomposition of ASILs is based on ASIL algebra: Each ASIL is worth one point (ASIL A = 1, ASIL B = 2 etc) Sum of constituents should be >= overall ASIL e.g. if A = 1 and C = 3, then A + A + A = C For any given cut set, there are a maximum of p = (m + 1) n permutations p = assignments, m = max ASIL, n = number of events 2011 Q2 Automatic ASIL Decomposition 9

10 ASIL decomposition algorithm Each cut set is covered by a decomposed ASIL Cut sets are iterated and for each one, all permutations of possible ASIL assignments are generated Assignments that meet requirements are kept, and those that do not are discarded Example: simple function with two system failures (omission + commission) and four basic events FE1 FE2 FE3 Omission = FE1 AND FE2 -- Assigned ASIL C Commission = (FE2 AND FE3) OR FE4 -- Assigned ASIL D FE Q2 Automatic ASIL Decomposition 10

11 ASIL decomposition algorithm All possible assignments for Omission (ASIL C) FE1/FE2 QM/QM QM/A QM/B QM/C QM/D FE1/FE2 A/QM A/A A/B A/C A/D FE1/FE2 B/QM B/A B/B B/C B/D FE1/FE2 C/QM C/A C/B C/C C/D FE1/FE2 D/QM D/A D/B D/C D/D Blue ones do not meet requirements discard Black ones are optimal precisely meet requirements Red ones are potentially redundant (overly strict) but still need to be explored further 2011 Q2 Automatic ASIL Decomposition 11

12 ASIL decomposition algorithm For each valid assignment for Omission (ASIL C), we test possible assignments for Commission (ASIL D) FE1 FE2 FE3 FE4 QM A B C QM C B A A QM B C D D FE4 can only be ASIL D (single cause) FE2 is set by Omission, so does not change with FE3 To be accepted, FE2 + FE3 must be ASIL D Assignments Found: QM : C : A : D QM : C : B : D QM : C : C : D QM : C : D : D A : B : B : D A : B : C : D A : B : D : D B : A : C : D B : A : D : D C : QM : D : D 2011 Q2 Automatic ASIL Decomposition 12

13 ASIL decomposition algorithm 65 results, of which all but 5 are redundant QM:C:A:D QM:C:B:D QM:C:C:D QM:C:D:D QM:D:QM:D QM:D:A:D QM:D:B:D QM:D:C:D QM:D:D:D A:B:B:D A:B:C:D A:B:D:D A:C:A:D A:C:B:D A:C:C:D A:C:D:D A:D:QM:D A:D:A:D A:D:B:D A:D:C:D A:D:D:D B:A:C:D B:A:D:D B:B:B:D B:B:C:D B:B:D:D B:C:A:D B:C:B:D B:C:C:D B:C:D:D B:D:QM:D B:D:A:D B:D:B:D B:D:C:D B:D:D:D C:QM:D:D C:A:C:D C:A:D:D C:B:B:D C:B:C:D C:B:D:D C:C:A:D C:C:B:D C:C:C:D C:C:D:D C:D:QM:D C:D:A:D C:D:B:D C:D:C:D C:D:D:D D:QM:D:D D:A:C:D D:A:D:D D:B:B:D D:B:C:D D:B:D:D D:C:A:D D:C:B:D D:C:C:D D:C:D:D D:D:QM:D D:D:A:D D:D:B:D D:D:C:D D:D:D:D 2011 Q2 Automatic ASIL Decomposition 13

14 ASIL decomposition algorithm Can use heuristics to sort the remainder Using sum of ASIL values (i.e. A=1, B=2, C=3, D=4): QM:C:A:D = 8 QM:D:QM:D = 8 A:B:B:D = 9 B:C:A:D = 10 C:QM:D:D = 11 Using increasing points for ASIL values (A=1, B=10, C= 100 etc): A:B:B:D = 1021 QM:C:A:D = 1101 B:C:A:D = 1111 QM:D:QM:D = 2000 C:QM:D:D = 2100 This helps the analyst decide on the preferred option There may not be a single best option More likely to be trade-offs between equivalent options Higher ASIL for one element means lower ASIL on another, and vice versa 2011 Q2 Automatic ASIL Decomposition 14

15 ASIL assignment Once an ASIL assignment for the failure modes has been chosen, ASILs can also be assigned to other parts of the model Can assign ASILs to input and output errors, to trace the propagation of failures Can also assign ASILs to ports/interfaces of a component or function ASILs can also be assigned to entire components/functions or subsystems This also allows for ASILs to be assigned to process faults of functions 2011 Q2 Automatic ASIL Decomposition 15

16 Optimisation of ASILs Automatic ASIL decomposition is a good candidate for automatic optimisation algorithms When there are lots of possible assignments, exhaustive search becomes impractical Exhaustive search is subject to combinatorial explosion For a single 4 event cut set, there are 625 permutations In these cases, optimisation could be used Objective is to meet requirements at lowest cost (i.e. lowest total ASIL heuristic value) Optimisation algorithms are more scalable as they are designed to explore large search spaces efficiently 2011 Q2 Automatic ASIL Decomposition 16

17 Future tool integration Plan for rest of MAENAD is to integrate this technology into tools HiP-HOPS provides the analysis capability Papyrus provides modelling capability Intention is to start ASIL decomposition directly from Papyrus as with other analysis plugins Some challenges still remain Find a more scalable approach e.g. with optimisation Could use a hybrid method: Exhaustive algorithm for smaller models Optimisation for larger models How to present results and where to store them in the model 2011 Q2 Automatic ASIL Decomposition 17

18 Summary EAST-ADL support for hazard analysis and ASIL decomposition is important to conform to ISO But ASIL decomposition is difficult to perform manually Prototype version implemented in HiP-HOPS Allows more rapid determination of ASIL assignments Can use optimisation to increase efficiency 2011 Q2 Automatic ASIL Decomposition 18

Automatic Decomposition of Safety Integrity Levels: Optimization by Tabu Search

Automatic Decomposition of Safety Integrity Levels: Optimization by Tabu Search Luis Silva Azevedo, David Parker, Martin Walker, Yiannis Papadopoulos, Rui Esteves Araùjo To cite this version: Luis Silva